[Snort-users] What's the fuss about string matching ?

Jason Haar Jason.Haar at ...294...
Mon May 27 14:43:02 EDT 2002

On Mon, May 27, 2002 at 12:46:30PM -0700, Pawel Rogocz wrote:
> 1. Lots of traffic is encrypted these days.
> 2. What's the point in watching for a known vulnerability, if you know
> your system is not vulnerable ? Do you want to be woken up at 3 a.m.
> because someone sent you a malformed packet ? Given the fact that all 
> alerts in snort are based on known vulnerabilities, you should patch your
> systems or take them off-line.

Big assumption there. Most large networks have multiple owners of the kit in
DMZs/etc. As such, it cannot be assumed that they *all* are upgraded
immediately after an exploit is discovered. In fact, the reality is that
most of the business owners aren't even up to the task... :-(

None of this applies to people on this list of course :-)

What you find is that people suddenly get frightened and act when they hear
that someone is knocking on the door. That is the up-side to running an IDS.
It's still commonly believed that no-one will have a go at "our box" as
"there are more interesting targets out there". Obviously with automated
attacks that is erroneous - but it's still thought of that way :-(

> It would be more effective for an IDS to alert when a successful intrusion 
> was detected, but in many environments this can easily be done 
> with a sniffer like tcpdump.

Absolutely. I for one do both. Standard firewalls are great at blocking AND
LOGGING attempts from DMZ hosts to make network connections they're not
meant to ever need to do (more specifically, make a network connection other
than those allowed...)

...but lay off the "active" IDSes as a means of thwarting attacks. Boy, was
my face red when I discovered the reason why our internal staff couldn't
upload a particular binary to their own DMZ Web server was because Snort
thought it was a trojan - and RSET it ;-) ("I don't understand, it gets
1.2Mb into the upload and then dies - every time!!!") ;-)
Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
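An added example (not code from the post above or from the Snort project) of the firewall-side check described there: instead of matching attack signatures on the way in, log every new outbound connection attempt from the DMZ and compare it against what each host is documented to need. A DMZ web server that suddenly wants to talk to an unfamiliar address on an odd port is a post-compromise indicator that needs no signature at all. The iptables-style log lines, the 192.0.2.x/203.0.113.x addresses, the "DMZ-EGRESS" log prefix and the per-host allow-list are all constructed for the example.

```python
"""Flag DMZ hosts that attempt outbound connections outside their egress allow-list.

Input is assumed to be syslog text from an iptables LOG rule (prefix "DMZ-EGRESS ")
applied to every NEW connection leaving the DMZ interface. Everything below is
constructed sample data, not a real firewall log.
"""
import re
from collections import defaultdict

# Constructed sample log: DMZ egress attempts plus one unrelated INPUT-DROP line.
SAMPLE_LOG = """\
May 27 03:12:01 fw1 kernel: DMZ-EGRESS IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=43122 DPT=53
May 27 03:12:07 fw1 kernel: DMZ-EGRESS IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.77 PROTO=TCP SPT=43190 DPT=6667
May 27 03:12:09 fw1 kernel: DMZ-EGRESS IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.77 PROTO=TCP SPT=43191 DPT=6667
May 27 03:13:44 fw1 kernel: DMZ-EGRESS IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=10.0.0.25 PROTO=TCP SPT=51000 DPT=25
May 27 03:14:02 fw1 kernel: DMZ-EGRESS IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=203.0.113.9 PROTO=UDP SPT=51002 DPT=53
May 27 03:14:30 fw1 kernel: INPUT-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP SPT=4321 DPT=22
May 27 03:15:30 fw1 kernel: DMZ-EGRESS IN=eth1 OUT=eth0 SRC=192.0.2.12 DST=203.0.113.200 PROTO=TCP SPT=40001 DPT=4444
May 27 03:16:00 fw1 kernel: DMZ-EGRESS IN=eth1 OUT=eth0 SRC=192.0.2.13 DST=203.0.113.200 PROTO=ICMP TYPE=8 CODE=0
"""

# Hypothetical per-host egress allow-list: the (proto, dst, dport) triples each
# DMZ host legitimately needs. Anything else is a connection the host is not
# meant to ever make.
EGRESS_POLICY = {
    "192.0.2.10": {("UDP", "198.51.100.5", 53), ("TCP", "198.51.100.5", 53)},  # web: DNS to resolver
    "192.0.2.11": {("TCP", "10.0.0.25", 25), ("UDP", "198.51.100.5", 53)},   # mail relay
    "192.0.2.12": set(),                                                      # static web: no egress
}

# Only DMZ-EGRESS lines are of interest; DPT is optional so ICMP lines still parse.
LINE_RE = re.compile(
    r"DMZ-EGRESS .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return {src, dst, proto, dpt} for a DMZ-EGRESS log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None  # no port for ICMP
    return ev


def classify(ev, policy):
    """'allowed' if the attempt is in the host's allow-list, 'unknown-host' if the
    source is not a documented DMZ host at all, otherwise 'violation'."""
    if ev["src"] not in policy:
        return "unknown-host"
    if (ev["proto"], ev["dst"], ev["dpt"]) in policy[ev["src"]]:
        return "allowed"
    return "violation"


def find_violations(log_text, policy):
    """Map source host -> list of non-allowed egress attempts, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev, policy)
        if verdict != "allowed":
            ev["verdict"] = verdict
            hits[ev["src"]].append(ev)
    return dict(hits)


if __name__ == "__main__":
    for src, events in find_violations(SAMPLE_LOG, EGRESS_POLICY).items():
        print(f"{src}: {len(events)} unexpected outbound attempt(s)")
        for ev in events:
            print(f"  {ev['verdict']:12} {ev['proto']} -> {ev['dst']}:{ev['dpt']}")
```

On the sample data the web server's DNS lookup and the relay's SMTP session pass, while the repeated TCP/6667 attempts, the DNS query to a non-approved resolver, the TCP/4444 attempt from a host that should never talk outbound, and the ping from an undocumented DMZ address are all reported. None of those verdicts depend on a payload signature, which is also why this check keeps working when the traffic is encrypted.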
